Each organization must determine for itself the amount of risk it is willing to accept: its risk appetite. Risk appetite is the amount and type of risk, arising from potential vulnerabilities and threats, that the organization is willing to tolerate. Setting it is another balancing act, because the organization weighs how much risk it is willing to endure against the cost of mitigating that risk and the difficulty of implementing the mitigation strategies.

The client's key stakeholders need to determine their risk appetite by answering questions such as:

  • What losses would be catastrophic to the organization?
  • What processes, technology, or other assets can be unavailable and still enable the organization to function, and for how long?
  • What assets, processes, information, or technology must be available at all times, and cannot be made public or be accessed by unapproved persons?
  • Are there any circumstances that could result in personal harm to anyone dealing with the organization, be it employees, customers, business partners, or visitors?

Your pen test report should account for the client's risk appetite. For example, you can rate the risk a vulnerability poses with the standard "Probability x Impact" formula, then compare the result to the organization's risk appetite to determine whether the risk falls within the accepted tolerance level. You can present this comparison in a number of ways, including visually through charts and graphs. This helps the client organization understand the impact of a risk far better than if you had simply quantified the risk without regard to its appetite.
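As an added example, not part of the original text, the following Python script scores a set of constructed findings with Probability x Impact, compares each score against a hypothetical stated appetite (a maximum tolerated score plus an impact level that is never tolerated regardless of probability, mirroring the "catastrophic loss" question above), and renders a text risk matrix that marks the cells outside tolerance. The 1 to 5 ordinal scales, the sample findings and the appetite thresholds are assumptions made for illustration.

```python
"""Score pen test findings with Probability x Impact and compare each against
the client's stated risk appetite.

Added example, not from the original text. The 1-5 ordinal scales, the
appetite thresholds and the findings are constructed assumptions.
"""

# Assumed ordinal scales, as used in a typical qualitative risk matrix.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Hypothetical appetite as the client's stakeholders might state it:
#  - any score above max_score is outside tolerance;
#  - any finding whose impact reaches intolerable_impact is outside tolerance
#    regardless of how unlikely it is (the "catastrophic loss" question).
APPETITE = {"max_score": 9, "intolerable_impact": 5}

# Constructed sample findings, not real assessment data.
FINDINGS = [
    {"id": "F-1", "title": "Weak TLS ciphers on brochure site", "probability": "possible", "impact": "minor"},
    {"id": "F-2", "title": "SQL injection in customer portal", "probability": "likely", "impact": "major"},
    {"id": "F-3", "title": "Default creds on building HVAC controller", "probability": "rare", "impact": "catastrophic"},
    {"id": "F-4", "title": "Verbose error pages", "probability": "almost certain", "impact": "negligible"},
]


def risk_score(probability, impact):
    """Probability x Impact on the ordinal scales, giving a score from 1 to 25."""
    return PROBABILITY[probability] * IMPACT[impact]


def within_appetite(p_value, i_value, appetite=APPETITE):
    """True if a (probability, impact) cell lies inside the stated tolerance.

    A plain product would let a rare catastrophic event look acceptable, so
    the impact floor is checked first and overrides the score threshold.
    """
    if i_value >= appetite["intolerable_impact"]:
        return False
    return p_value * i_value <= appetite["max_score"]


def assess(findings, appetite=APPETITE):
    """Annotate each finding with its score and status, highest score first."""
    rows = []
    for f in findings:
        p, i = PROBABILITY[f["probability"]], IMPACT[f["impact"]]
        rows.append({
            **f,
            "score": p * i,
            "status": "within appetite" if within_appetite(p, i, appetite) else "EXCEEDS appetite",
        })
    # sorted() is stable, so equal scores keep their original order.
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def risk_matrix(findings, appetite=APPETITE):
    """Text heat map: probability down the side (highest on top), impact across.

    Each cell lists the finding IDs placed there; a leading '*' marks cells
    that fall outside the appetite, so the client sees the boundary itself,
    not just a number per finding.
    """
    placed = {}
    for f in findings:
        key = (PROBABILITY[f["probability"]], IMPACT[f["impact"]])
        placed.setdefault(key, []).append(f["id"])
    lines = ["P\\I " + "".join(f"{i:>9}" for i in range(1, 6))]
    for p in range(5, 0, -1):
        row = f"{p:>3} "
        for i in range(1, 6):
            mark = "" if within_appetite(p, i, appetite) else "*"
            ids = ",".join(placed.get((p, i), [])) or "."
            row += f"{mark + ids:>9}"
        lines.append(row)
    lines.append("* = cell outside the stated risk appetite")
    return "\n".join(lines)


if __name__ == "__main__":
    for r in assess(FINDINGS):
        print(f"{r['id']}  score={r['score']:>2}  {r['status']:<16} {r['title']}")
    print()
    print(risk_matrix(FINDINGS))
```

Note that F-3 scores only 5, below the hypothetical maximum of 9, yet is reported as exceeding the appetite because its impact is catastrophic; that is exactly the kind of finding a bare Probability x Impact number would bury in the middle of the report.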

Graphing an organization's risk appetite